Facebook employees talk to visitors at a one-day Facebook pop-up kiosk in Bryant Park in New York City on Thursday. The company was fielding questions about its data-sharing practices and teaching users how to understand its new privacy controls. The next day, Facebook announced that a "bug" had inappropriately shared users' private data — this time, their photos.

Timothy A. Clary / AFP/Getty Images

For nearly two weeks in September, developers who created apps for Facebook were able to access user photos that they should never have been allowed to see, the social media company announced Friday.

The "bug" affects users who gave permission to a third-party app to access their Facebook photos. Normally, that would only include photos that someone actually posted to their timeline.

But between Sept. 13 and Sept. 25, other photos were available, as well: Photos that a user posted to Marketplace, Facebook's platform for selling or buying goods. Photos posted to Stories, the platform for sharing images that disappear after 24 hours.

Even photos that were never actually posted on Facebook at all — if a user had started to post a photo, then changed their mind, that picture also could be shared with developers.

It didn't matter what privacy settings a user had placed on their images or posts.

It's not clear when Facebook discovered the breach, or how it was repaired.

Facebook has been under close scrutiny for how it handles — or mishandles — the massive quantity of user data it has accumulated.

This fall, Facebook announced that a security breach affected millions of its users and exposed their personal data, including information such as location and recent searches, to malicious actors.

And earlier this year, the Cambridge Analytica scandal revealed that millions of people had their data harvested without their consent, information that was then used to build profiles for political campaign purposes.